Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
-
Has anyone that runs an smtp server behind snort been able to get the smtp preproc to work correctly. If I enable it the preproc, it will start blocking the traffic to the server with bad alerts.
-
Hi ermal,
good job. For my purposes, snort is running smoothly now.
I have also solved my problem of the 2nd interface on the LAN side that apparently did not work at all, where I was using the ET p2p rules. These rules worked on the WAN side, but not on the LAN side.
There's no need to go int details here, but I'd like to say that it is (probably always was) necessary to look at the definition of the rules and how your environment is defined. If a rule is based on the HOME_NET, the local machines that are being monitored should also be part of the HOME_NET or the rule is essentially not active. In my case I had to augment the default HOME_NET by the client subnet to get the behavior I wanted.
-
Fesoj,
re-added sub-nets to the HOME_NET list, i had mistaken it with something else.
Just re-install and should be good. -
Hm, but now we have the WAN subnet back as 24 CIDR in HOME_NET
-
Yeah its ok judex.
-
@ermal:
Added some more suggestions/issues to post http://forum.pfsense.org/index.php/topic,51387.msg275159.html#msg275159
If you dont mind changing commenting out some php code, you can get your 2nd WAN interface back:
lines 82 and 83 in /usr/local/www/snort/snort_interfaces_edit.php
make them look like this:
# if ($natent['interface'] == $_POST['interface']) # $input_errors[] = "This interface is already configured for another instance";This allowed me to create another WAN interface, and it has a different ID:
ps -aux | grep snort root 61341 23.7 ?? Ss 1:56PM 0:01.29 /usr/pbi/snort-i386/bin/snort -R 36745 -D -q -l /var/log/snort/snort_em336745 --pid-path /var/run --nolock-pidfile -G 36745 -c /usr/ root 59209 0.2 ?? Ss 1:54PM 0:01.13 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/ root 3143 0.0 0.3 13048 8384 ?? Ss 1:54PM 0:00.06 /usr/local/bin/barnyard2 -r 60770 -f snort_60770_em3.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_60770_em3 root 35410 0.0 0.0 3536 1256 0 S+ 1:56PM 0:00.01 grep snortUse event_filter configurations for this it makes no sense to do this!
The above quotes are from the v2.4.2 issues posting, but I see the issue still applies, so I'm bringing the discussion here.
@Ermal: event_filter does not do what I want. There are categories of rules that I wish to log, but don't want to block if they are seen. I simply wish to monitor how prolific the event is. Since there is no way to block some categories/rules while also only alerting for other categories without using two instances of snort on the same interface, it seems necessary to have this feature.
Now, let's assume I'm mistaken and there is a way to have only one instance where some things are blocked while some are only noted in the snort logs using some filter command. I would have to activate all of the categories/rules I want running on my interface and then manually identify all of those gen_id and sig_id numbers that I only wanted alerted, but not blocked. Since those rule files contain multiple gen_id's I can't so something like "gen_id=xxx, sig_id=0" to change how a whole category is handled. What you are asking us do to is an administrative nightmare. Also, having all of this running through one instance means all snort matching will occur on one CPU core (since, last I checked, Snort wasn't very multi-core friendly) while how I run Snort allows multiple cores to be used, thus helping to prevent snort from getting swamped with requests.
So, I ask you, even though you don't see the sense in it, please implement the edit that Cino suggests so multiple instances of Snort will run on one interface. If nothing else, it makes management of Snort easier.
-
I have two other questions.
1.) Why is it that I can only save snort alerts to the system logs now? Used to be we could choose between unified2 format, tcpdump, or system logs. What was the reason for the change?
2.) What happened to "Define SSL_IGNORE"? It's not on the preprocessors page nor does it seem to be anywhere else.
-
Reinstall you will be able to configure 2 ifaces.
The logtype was removed because:
barnyard logging will be enabled when you enable barnyard
alerts tab uses alert_csv formatsyslog exporting remains the other thing you want to enable disable.
-
@ermal:
Reinstall you will be able to configure 2 ifaces.
The logtype was removed because:
barnyard logging will be enabled when you enable barnyard
alerts tab uses alert_csv formatsyslog exporting remains the other thing you want to enable disable.
Thank you, Ermal. Is it still true with barnyard2 that the sql server is not installed on pfsense? I'm a home user, myself, so I don't have extra servers just lying around simply for a sql database. I know it isn't "recommended" to have sql server running on an Internet facing system, but if it is locked down to only the localhost interface, the risks are acceptable for a home user. Hmmm. I wonder if a "mySQL for Barnyard2" package could be built? You obviously build packages, Ermal. Do you mind pointing me to the documentation on how one adds a package to the pfSense Package Manager?
-
@ermal:
Reinstall you will be able to configure 2 ifaces.
The logtype was removed because:
barnyard logging will be enabled when you enable barnyard
alerts tab uses alert_csv formatsyslog exporting remains the other thing you want to enable disable.
Just did the reinstall. I get this error:
FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
The funny part is I'm not even using bad-traffic.so. Not sure why it is even loading.
-
breusshe because snort is just going to dump/exit if i put only enabled so rules and libs.
-
@ermal:
Added some more suggestions/issues to post http://forum.pfsense.org/index.php/topic,51387.msg275159.html#msg275159
If you dont mind changing commenting out some php code, you can get your 2nd WAN interface back:
lines 82 and 83 in /usr/local/www/snort/snort_interfaces_edit.php
make them look like this:
# if ($natent['interface'] == $_POST['interface']) # $input_errors[] = "This interface is already configured for another instance";This allowed me to create another WAN interface, and it has a different ID:
ps -aux | grep snort root 61341 23.7 ?? Ss 1:56PM 0:01.29 /usr/pbi/snort-i386/bin/snort -R 36745 -D -q -l /var/log/snort/snort_em336745 --pid-path /var/run --nolock-pidfile -G 36745 -c /usr/ root 59209 0.2 ?? Ss 1:54PM 0:01.13 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/ root 3143 0.0 0.3 13048 8384 ?? Ss 1:54PM 0:00.06 /usr/local/bin/barnyard2 -r 60770 -f snort_60770_em3.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_60770_em3 root 35410 0.0 0.0 3536 1256 0 S+ 1:56PM 0:00.01 grep snortUse event_filter configurations for this it makes no sense to do this!
The above quotes are from the v2.4.2 issues posting, but I see the issue still applies, so I'm bringing the discussion here.
@Ermal: event_filter does not do what I want. There are categories of rules that I wish to log, but don't want to block if they are seen. I simply wish to monitor how prolific the event is. Since there is no way to block some categories/rules while also only alerting for other categories without using two instances of snort on the same interface, it seems necessary to have this feature.
Now, let's assume I'm mistaken and there is a way to have only one instance where some things are blocked while some are only noted in the snort logs using some filter command. I would have to activate all of the categories/rules I want running on my interface and then manually identify all of those gen_id and sig_id numbers that I only wanted alerted, but not blocked. Since those rule files contain multiple gen_id's I can't so something like "gen_id=xxx, sig_id=0" to change how a whole category is handled. What you are asking us do to is an administrative nightmare. Also, having all of this running through one instance means all snort matching will occur on one CPU core (since, last I checked, Snort wasn't very multi-core friendly) while how I run Snort allows multiple cores to be used, thus helping to prevent snort from getting swamped with requests.
So, I ask you, even though you don't see the sense in it, please implement the edit that Cino suggests so multiple instances of Snort will run on one interface. If nothing else, it makes management of Snort easier.
My fix to this would be to make alert_pf understand a kind of suppress type list to block also.
This would make your setup usable with one instance.
Though for now i want go into that implementation anyhow. -
@ermal:
Reinstall you will be able to configure 2 ifaces.
The logtype was removed because:
barnyard logging will be enabled when you enable barnyard
alerts tab uses alert_csv formatsyslog exporting remains the other thing you want to enable disable.
Thank you, Ermal. Is it still true with barnyard2 that the sql server is not installed on pfsense? I'm a home user, myself, so I don't have extra servers just lying around simply for a sql database. I know it isn't "recommended" to have sql server running on an Internet facing system, but if it is locked down to only the localhost interface, the risks are acceptable for a home user. Hmmm. I wonder if a "mySQL for Barnyard2" package could be built? You obviously build packages, Ermal. Do you mind pointing me to the documentation on how one adds a package to the pfSense Package Manager?
Just add yourself the mysql-server package.
-
Ermal, when enabling sensitive data pre-processor, whitelisted IPs are possibly ignored. I've added an IMAP provider to the whitelist, however this whitelisted IP is being blocked by sensitive data email rule. Adding to suppress list seems to work after restarting interfaces. AMD64, 2.0.1
Cheers,
Dennis. -
So, to deal with the error I'm getting after the latest reinstall, I dumped my config and uninstalled Snort. I reinstalled, and started to reconfigure. On the "Server" tab in one of the instances I'm configuring, I tried adding some port numbers, which I've done in the past, and got the following message:
The following input errors were detected:
Only aliases are allowed
For instance, I'm trying to set "Define IMAP_PORTS" to the value: 143,993. The field states that "143" is the default and suggests examples "25,443" and "5060:5090". However, the above error message seems to imply I need to use some sort of alias now. Is this a new bug?
-
That is a new feature!
https://github.com/bsdperimeter/pfsense-packages/commit/92fc14e2e523e2c314868fd861a80d0a25bd7549
Judged by last days commits ermal is unstoppable at the moment ;D -
breusshe,
aliases are defined under Firewall: Aliases:
Worked for me when I modified the HOME_NET.
-
@ermal:
Just add yourself the mysql-server package.
Yeah, I've tried that before. The problem is that mysql-server isn't part of the pfsense repository and the release that pfsense 2.0.1 is built from doesn't exist any longer in FreeBSD's repos. So, to get server, I have to upgrade mysql-client, which forces me to update other stuff as well. None of it is from the normal repos for pfsense which causes problems with package upgrades in the future. So, to do this, I'd have to get mysql-server (of the correct version) and its dependencies added to the pfsense repos and installable from the Package Manager.
-
That is a new feature!
https://github.com/bsdperimeter/pfsense-packages/commit/92fc14e2e523e2c314868fd861a80d0a25bd7549
Judged by last days commits ermal is unstoppable at the moment ;DAh, okay. I'll add aliases there. Thanks, Judex and Fesoj.